Getting past “Just Compliance”

I have been a cyber security practitioner for over 20 years and over the last 10 years I have also been fortunate enough to have taught or presented to, on average, 1000 students a year. I have always taken time to chat to the students to understand the battles they have (both against attackers and internal politics) and the tools they are given to defend their organisations. One of the most frustrating and recurring themes I hear about is how to get the board to move away from a compliance-only focus – “If we pass the compliance audit we are secure; and while we are secure no one gets fired #win.”

(The hamster wheel of Compliance Auditing)

Compliance-driven purchasing and strategies can be a double-edged sword in the implementation of cyber security measures.  In the early days of an organisation’s security maturity, there are real benefits from the structure dictated by regulations and public standards like Sarbanes-Oxley (SOX), COBIT (Control Objectives for Information and Related Technologies) or the Payment Card Industry Data Security Standard (PCI DSS).  However, it is worth remembering that to executives, achieving regulatory or trade-body compliance represents a career safe zone.  Furthermore, compliance implementation guides represent well-worn paths to accepted controls that evidence shows reduce the organisation’s overall security risk.  From an exec’s point of view, what’s not to like?

Well, from a long-term security point of view, lots! If you thought getting the board to adopt these standards was hard, just try getting them to give them up once they have been on them for even a few short months.

By promoting a standard to executives who are not security-mature you are telling them that the standard is a good thing. “Trust the standard,” you say, and that is good in the early days of bringing control and resources to the security of the infrastructure and environment.  What is often hard to get the executives to understand is that compliance alone will not make you secure.  What’s more, it can be hard to divert funds from the compliance budget to places which will bring a real security benefit, and very quickly you can see future long-term funds being diverted to the hamster wheel of audit and post-audit remediation/improvement.

(Just a list of things to make attacks harder)

It is important to remember that many compliance standards are simply industry-focused lists of things to implement to make it harder for attackers to get onto your network. While they have been formulated by experienced professionals and peer reviewed, their controls are usually derived from, and mapped against, what mature, already secure organisations do; they assume a level of maturity that an organisation adopting them for the first time does not yet have.

To put this into perspective, consider a driving test.  The driving examiner (the auditor) will check that a new driver (the organisation) can perform the necessary vehicle manoeuvres safely (the requirements); if they complete them all correctly on the day (the audit), they pass their driving test and are allowed to drive on the road (certified).  Are these fledgling drivers experienced and good drivers?  No: newly qualified drivers are consistently among the most at-risk road users.  Do you drive like you did on your test?  Are you a better driver now, or would you fail many of the technical requirements?  A good driver can pass a driving test, but a just-passed-their-test driver is not necessarily a good one.  The same goes for security standards and organisations.

Nearly every big breach notification in the last 3 years came from a company that was, until its public announcement, compliant with one or more of the standards mentioned above.  So how come they got breached? The driving analogy works well for organisational security.  Just as most drivers don’t drive like they did on their driving test, most organisations don’t follow security compliance rules and procedures on a day-to-day basis, and that means they and the board are being lulled into a false sense of security in one of three common ways:

  1. They were “compliant for a day” – they never followed the principles and practices in the many manuals they submitted for audit, or if they did it was only on the day of the audit.
  2. The parts of the network used to manage and support the fully compliant parts of the IT systems were not protected to the same level, or the power users (system admins) didn’t follow any of the approved processes to do their work.
  3. They had such a small part of their operation certified and audited that there was more than enough left over for the attackers to get into and plunder.

Remember that these organisations spent hundreds of thousands of pounds on training, tools and infrastructure, and they still got breached.  The PwC Information Security Breaches Survey from 2015[1] makes particularly stark reading: 90% of large organisations had a breach and the average number of breaches in large organisations was fourteen (14), but most worrying of all, the average cost was between £1.46M and £3.14M.

So how do we make things better?

Well, there are three steps to making things better in the medium and long term:

  1. Use compliance requirements as a vehicle to get a top-down security focus and an understanding of how attacks occur in organisations – but don’t be constrained (or straitjacketed) by them.
  2. Conduct an end-to-end review of the organisation from two distinct viewpoints – an attacker’s and a defender’s – but not old-school penetration testing with fixed goals and in-scope/out-of-scope limitations. Employ a red team and ask them to “come at me bro”: no scope limits, just like the real attackers. (The one thing that must still be in place is written authorisation and a deconfliction channel, so that the red team’s activity can be told apart from a genuine intrusion and stopped if it starts to cause damage.)
    1. Have the red team demonstrate to the executives how they got in and what data they stole.
    2. Then let your defenders understand the attacks and let them plan how you grow, over the next 3–5 years, into a compliant, robust and secure environment.
  3. Then merge the data you get from steps one and two above to formulate your strategy for your systems and budgets.

Finally, remember that a secure organisation will usually be fully compliant, but a fully compliant one may not be secure.